Hotmailers Hawking Hoax Hunan Half-Offs 135

Frequent Slashdot contributor Bennett Haselton writes "An estimated 200,000 Hotmail users currently have their auto-reply set to a message spamming an advertisement for Chinese scam websites, which sell "discounted" electronics. Presumably the spammers compromised a large number of Hotmail accounts to pull this off, but wouldn't it be pretty easy for Hotmail to query for which users have that set as their auto-reply, and turn the auto-reply off for them?" Read below for Bennett's thoughts.

After a recent mailing that I sent out to a subset of my proxy mailing list, I got back 18 auto-replies from Hotmail users, all substantially similar to this:

Dear friend:
We are an electronic products wholesale .Our products are of high quality and low price. If you want to do business , we can offer you the most reasonable discount to make you get more profits. We are expecting for your business.

Please visit our website: www.wedosale.com

Email: wedosale@vip.188.com .
MSN: wedosale@hotmail.com .

Looking forward to your contact and long cooperation with us!

Our mainly products such the phones, PSP, display TV, notebook, video, computers, Mp4, GPS, xbox 360, digital cameras and so on.

Welcome to visit our website!

Some of the spam auto-replies advertised different websites, and the wording varied between the different auto-responses, but they were all similar advertisements for Chinese electronics "retailers." (And so, I assume, the websites are all fronts for the same company -- if multiple spammers had independently hacked Hotmail users' accounts to set their auto-replies, it would be vanishingly unlikely that those spammers would all happen to be electronics hawkers.) This was from a mailing that I sent to a set of subscribers that included about 26,000 users with "hotmail.com" e-mail addresses. If 18 out of 26,000 users in my sample have had their accounts hacked to send spam auto-replies, then this must be happening to a large number of Hotmail users -- not a large proportion (only one in 1,500, in my sample), but with about 300 million Hotmail users, that would still be a large absolute number.

The same spammers have apparently been spamming through Hotmail auto-replies for at least 11 months, according to this post in the Windows Live Help community forum from January 2009. At first, some pundits seemed to have assumed that spammers had created these accounts themselves and subscribed the accounts to people's lists, in order to spam the list owners (and, if it's a list that accepts subscriber posts, broadcast the spam to the other list readers). However, looking at the addresses in my proxy mailing list that were sending the spam auto-replies, I noticed that (1) our records show that the auto-reply-spamming subscribers joined the mailing list by various means, signing up through different Circumventor websites, not indicative of how a spammer would have joined the list by automated means, and (2) many of their email addresses are associated with legitimate-looking Myspace and Facebook accounts. Thus it looks as if these were real users who joined the list legitimately, and then got their accounts hacked by the spammers, who set those users' accounts to send the spam as an auto-response.

(If you happened to look at the spammers' www.wedosale.com website, at this point you might be thinking: I don't want to give money to spammers, but can I really get a Blackberry for only $295? Couldn't I just order from the website, and then if the goods don't show up or they're not as advertised, I can dispute the charge on my credit card? Well, I signed up for a dummy account on the www.wedosale.com page and got as far as the order page, and the only payment types that they accept are wire transfer, Western Union, and Moneygram -- precisely those types where you cannot get the money back or dispute fraudulent charges. If you've already gone and ordered a Blackberry, don't hold your breath.)

If my 26,000 users were a representative sample of the 300 million current Hotmail users, then with 1 out of 1,500 users in my sample being "infected," I could estimate that about 200,000 Hotmail users (1/1500 times 300 million) are currently set to send spam auto-replies. Hotmail claims to process 3 billion non-spam e-mails per day, for an average of about 10 non-spam e-mails per Hotmail user. That's the average for all users; what's the average for the infected users? Some factors would tend to lead to a lower average for infected users -- if they have lots of friends sending them mail, it's more likely that one of their friends would have told them about the auto-reply spam and told them to turn it off, so perhaps the users still sending the spams are the ones who don't receive a lot of messages from their friends. On the other hand, some of the infected accounts may be receiving more (non-spam) e-mail than average; one reason people sometimes abandon webmail accounts is that they're getting too much mail, even from newsletters like the Circumventor list that they had legitimately subscribed to. So, figuring that factors in both directions roughly cancel out, if each infected user is receiving the average number of 10 emails per day and sending 10 auto-reply spams in response, that's still a total of 2 million outgoing spams per day shilling for nonexistent Chinese iPhones.

These are just back-of-the-envelope calculations, but even if I'm overestimating by a whole order of magnitude, that's still 0.2 million auto-reply spams per day, or about 70 million spams that will be sent by this one company through Hotmail's servers in the coming year, if Hotmail doesn't stop it. (And closer to a billion spams in the coming year if I'm not overestimating.)

And it's actually worse than that, because these spams are less likely than average to be filtered, since they're coming from Hotmail's servers. Normally you'd think that the content-based module of a spam filter would have no problem catching a message like the one at the top of this article, especially if millions of similar messages have been spewed out over the past year. However, messages from Hotmail's servers, regardless of content, are less likely to be blocked, since their network has a good reputation for sending little spam overall (due to measures such as requiring users to fill out a CAPTCHA when signing up, blocking each account from sending more than 500 messages per day, etc.). When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.) However, of the infected Hotmail accounts that did send a spam auto-reply, 100% of those auto-reply spams were delivered to my inbox. (Apparently, Hotmail's spam filter usually assumes that messages from other Hotmail users can't possibly be spam.) Only Yahoo Mail's spam filter, when I sent a test message to the infected users from my Yahoo Mail account, blocked all of the auto-replies as junk mail.

For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.

So this is basically what's happening, but it still leaves some unanswered questions, such as: Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services. Whatever the spammers did to gain control of so many Hotmail accounts, if it was profitable for them, why didn't they do the same thing for Yahoo Mail? And, why did only one spammer do this? If they're sending between 1 and 10 million spams per day for free, they're probably making money at it. Whatever they did to hack those accounts, why wouldn't other spammers figure out the same method and copy them?

Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service. If it was done via a security hole in Hotmail that the spammers discovered, then that would explain why the spammer's methods only worked for Hotmail accounts, and also why no other spammers have copied their techniques. (A phishing attack, on the other hand, would be easy to modify for other webmail services, and would also be easy for other spammers to emulate, so that's not consistent with the observed evidence so far.) I also found this post from blogger Stuart Shelton describing how his account was hacked by Chinese spammers -- and from the blog post, it's clear that he's very tech-savvy and would have been unlikely to fall for a run-of-the-mill password phish. If the attack happened even to people who know what they're doing, that seems to make the security hole explanation more likely.

Perhaps others can come up with some theories about what happened. It's easy to come up with guesses, but the hard part is to reconcile them with the fact that it has only affected Hotmail users so far, and no other spammer seems to have figured out how to copy the same technique yet.

But there's a much simpler question too: Why doesn't Microsoft just turn off the auto-replies for these users' accounts? They can query to see exactly which users have these messages in their auto-replies, and then un-set the auto-reply automatically. Yes, I know that even for a simple database operation like that, there's always more to it when you're managing hundreds of millions of accounts across multiple servers -- but if it will stop this one sender from sending between 50 million and 500 million spams (that in many cases will bypass people's spam filters) from Hotmail's servers in the coming year, isn't it probably worth it?
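One way such a query could work in practice, as an added example that is neither Hotmail's code nor the author's: score each account's auto-reply against the known spam text on 3-word shingles after masking URLs and e-mail addresses, so a rotated domain or a reworded sentence still matches while an ordinary vacation message does not, then clear the auto-reply and flag the account for a password reset. Account addresses, auto-reply texts and the 0.3 threshold are all constructed assumptions.

```python
"""Find accounts whose auto-reply matches a known spam template and neutralise it.

Added example for this article (not Hotmail's or the author's code). Matching
uses 3-word shingles with URLs and e-mail addresses masked, so a rotated domain
or a reworded sentence still scores high while unrelated vacation replies do not.
"""
import re
from typing import Dict, List, Set, Tuple

# Masks "www.example.test" / "http://..." URLs and user@host addresses alike.
URL_OR_EMAIL = re.compile(r"(?:https?://|www\.)\S+|\S+@\S+")

# Known spam text, condensed from the auto-reply quoted in the article.
KNOWN_SPAM_SAMPLES: List[str] = [
    "Dear friend: We are an electronic products wholesale. Our products are of "
    "high quality and low price. If you want to do business, we can offer you "
    "the most reasonable discount. Please visit our website: www.wedosale.com "
    "Email: wedosale@vip.188.com Welcome to visit our website!",
]

# Constructed account store: hypothetical addresses and auto-reply texts.
ACCOUNTS: Dict[str, dict] = {
    # same template, but the spammer rotated the domain and contact address
    "copy@hotmail.example": {"auto_reply":
        "Dear friend: We are an electronic products wholesale. Our products are "
        "of high quality and low price. If you want to do business, we can offer "
        "you the most reasonable discount. Please visit our website: "
        "www.other-store.test Email: contact@other-store.test Welcome to visit "
        "our website!"},
    # reworded and shortened variant of the same pitch
    "reworded@hotmail.example": {"auto_reply":
        "Dear friend, we are an electronic products wholesaler. Our products are "
        "of high quality and low price. Please visit our website: "
        "www.example-shop.test MSN: sales@example.test Welcome to visit our "
        "website!"},
    # legitimate messages; the second one even shares a common phrase and a URL
    "vacation@hotmail.example": {"auto_reply":
        "Thanks for your message. I am out of the office until January 18 and "
        "will reply when I return. For urgent matters call the front desk."},
    "support@hotmail.example": {"auto_reply":
        "Hi, I am away this week. Please visit our website www.example.test "
        "for support hours."},
    "quiet@hotmail.example": {"auto_reply": ""},
}


def normalize(text: str) -> List[str]:
    """Lower-case, replace URLs/addresses with <url>, drop punctuation, tokenise."""
    masked = URL_OR_EMAIL.sub(" <url> ", text.lower())
    return re.sub(r"[^a-z0-9<> ]+", " ", masked).split()


def shingles(tokens: List[str], k: int = 3) -> Set[Tuple[str, ...]]:
    """k-word windows; order-sensitive, so shared vocabulary alone is not enough."""
    return {tuple(tokens[i:i + k]) for i in range(len(tokens) - k + 1)}


def jaccard(a: Set[Tuple[str, ...]], b: Set[Tuple[str, ...]]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def spam_score(auto_reply: str, samples: List[str] = KNOWN_SPAM_SAMPLES) -> float:
    """Highest shingle similarity between the auto-reply and any known sample."""
    mine = shingles(normalize(auto_reply))
    return max((jaccard(mine, shingles(normalize(s))) for s in samples), default=0.0)


def find_compromised(accounts: Dict[str, dict], threshold: float = 0.3) -> Dict[str, float]:
    """Return account -> score for every auto-reply scoring at or above threshold."""
    flagged: Dict[str, float] = {}
    for account, settings in accounts.items():
        score = spam_score(settings.get("auto_reply", ""))
        if score >= threshold:
            flagged[account] = score
    return flagged


def remediate(accounts: Dict[str, dict], flagged: Dict[str, float]) -> List[str]:
    """Clear the auto-reply and require a password reset, keeping the original
    text aside for forensic follow-up. Returns an audit log, one line per account."""
    log: List[str] = []
    for account, score in sorted(flagged.items()):
        settings = accounts[account]
        settings["quarantined_auto_reply"] = settings["auto_reply"]
        settings["auto_reply"] = ""
        settings["force_password_reset"] = True
        log.append(f"{account}: auto-reply cleared (score {score:.2f}), password reset required")
    return log


if __name__ == "__main__":
    for line in remediate(ACCOUNTS, find_compromised(ACCOUNTS)):
        print(line)
```

The shingle threshold trades missed variants against false positives on legitimate replies, which is why the remediation keeps the original text rather than deleting it.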

And even if it wasn't a phishing attack this time, sooner or later some other spammer will probably capture tens or hundreds of thousands of Hotmail accounts using a phish or some other method, and try spamming through auto-replies as well. So if Hotmail "fixes" this batch of auto-reply spam for practice, then the next time it happens, they'll know exactly what to do to take care of it.

I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?

Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics." I called SpeakEasy and they confirmed that they knew Hotmail was blocking all mail from their users (although for "security reasons," SpeakEasy couldn't tell me what they were trying to do about it). The block wasn't lifted until about November 28th, when my messages started getting through again.

If SpeakEasy, which has been in business for 15 years, has annual revenues of $60 million, and was bought in 2007 by Best Buy, can't even get through to Microsoft in less than 10 days to tell them to stop blocking all mail from their servers, then Microsoft should first fix their postmaster trouble ticket system, so that people are not blocked from writing to their friends and family members at Hotmail for a week and a half. Then get to work on the spam auto-responders.

  • tl, dr (Score:5, Insightful)

    by spun ( 1352 ) <loverevolutionary&yahoo,com> on Thursday January 07, 2010 @04:08PM (#30687548) Journal

    Wow, Bennett. You sure do like the sound of your own typing, don't you? You could really have said all that in 1/10th the space.

    • Re:tl, dr (Score:5, Interesting)

      by SUB7IME ( 604466 ) on Thursday January 07, 2010 @04:14PM (#30687630)

      Regardless of the information density of his post, I disagree with his assertion that Hotmail should flip the 'autoreply' bit on these accounts. I do not think Hotmail wants to get involved in guessing whether or not someone intended to set any particular auto-reply message: "Surely, Mr. Jones, you didn't intend to drop an F-bomb in your auto-reply."

      More to the point, these are hacked accounts. If you were going to take any action, *disabling* (even temporarily) the accounts and flagging them for forensic follow-up would strike me as more appropriate.

      • Regardless of the information density of his post, I disagree with his assertion that Hotmail should flip the 'autoreply' bit on these accounts. I do not think Hotmail wants to get involved in guessing whether or not someone intended to set any particular auto-reply message: "Surely, Mr. Jones, you didn't intend to drop an F-bomb in your auto-reply."

        Even if the Hotmail user *DID* intend on being part of some Chinese SPAM, Hotmail has every right and even possibly some responsibility to not allow that particular use of their email system.

        • by SUB7IME ( 604466 )

          Did you read the rest of my post (the part that you didn't quote) where I addressed the actions that they should take, instead of just turning off autoreply?

          Your tone seems to be that of disagreement, but your words recapitulate what I already said.

        • But they do not have the right to read their users' bounce messages. If they do, it sets a precedent -- that they show willingness to police content this once will easily lead to them HAVING to police it.
          Next will be demands by right wing moral bigots (but, I repeat myself) who object to profanity, URLs to "adult" sites (think of the children!), or other materials that are objectionable to them.

      • My wife and daughter both have had their hotmail accounts "used". Maybe "hacked" is the right word, but I am still not clear about the actual use/abuse/misuse/attack vector. My daughter only uses the account for MSN with a small group of friends. She never actually opens the hotmail interface. My wife used her hotmail daily, but on a Ubuntu laptop with firewalled router, firewalled network inside the home and an iptable firewall on the lappie itself. Call me paranoid but we live in China and our wireless is pr
      • I hate long winded hot bags that like the sound of their own voice, however if hotmail spam is a problem for M$, by forcing people to actually write emails, and turning off the auto reply, or maybe making it a pay per send scheme, you would get all those spammers out of hotmail business....this point does work, and I do agree, make it so easy for M$ to implement that they do it for the sake of looking good to their customers.

        I myself never use auto reply, and never will...dont need to, but having it disabl

    • tl.dr. Something about a guess of the number of accounts set with spammy autoresponders. He does know that it's hotmail, so most of the autoresponses are going back out to other spammers, right? It sounds like a nice spammy feedback loop.

    • by u38cg ( 607297 )
      If only there was a way to query slashdot to only return stories which do not have the Bennet Haselton spam content...
    • Although amateur, author affirming alliteration actualizes an awful article.

      But that's KDawson for you.

    • Wow, Bennett. You sure do like the sound of your own typing, don't you? You could really have said all that in 1/10th the space.

      TL;DR

    • I couldn't get past the idiotic headline. I figure, if the author thinks he has a captive audience for his exaggerated wittiness, it's probably not worth even looking at the article/summary.
  • Better idea (Score:3, Interesting)

    by MichaelSmith ( 789609 ) on Thursday January 07, 2010 @04:09PM (#30687566) Homepage Journal

    For the infected users on my mailing list, I sent them a link to a set of instructions I'd written about how to set and un-set their Hotmail auto-reply and how to change their Hotmail password, with the hopes that they'd eventually see the message and follow the steps. 18 users rescued, 200,000 to go.

    Why don't you just send them information on how not to use hotmail. And while you are at it, why are you sending mass emails to a bunch of obviously clueless people? Are you a spammer?

    • Similar reasons for which people suggest Bing, I suppose :-(
    • It's a mailing list of web proxies [peacefire.org]. Browser-based proxies are popular with clueless people who don't know better ways of circumnavigating web filtering.

            --- Mr. DOS

      • Browser-based proxies are popular with clueless people who don't know better ways of circumnavigating web filtering.

        I must have missed Clue, issue #57. What better ways are there?

        Tor? That's slow. Set up a shell account and your own proxy? Why bother if it's not on your machine (and so you shouldn't trust it) anyways? Get a VPN exit at Relakks or something? Those cost money; "free" beats that.

        Exactly what better alternative do you have in mind?

        • Why not a variant of #2 or #3? Squid on your home server (my preferred option), or the VPN edition of DD-WRT. If you've got a home server, #2 is essentially free (although running a home server just for a proxy isn't cost-effective in terms of power consumption), and if you've got a DD-WRT-compatible with 4MB or more space for the firmware, #3 is free.

          Neither of these are really options for dummies, though.

          Oh, just thought of one circumnavigatory method that is - HTTPS! Many filters blindly let HTTPS connec

          • [...] on your home server

            And when traffic between my home and the tpb ip range (all tpb ranges?) is blocked, how do I get to the tpb from home?

            When there already are plenty of other machines I can bounce off of, why set up my own? Exactly what is gained?

            • ...how do I get to the tpb from home?

              Ah, so now we run into difficulties.

              Exactly what is gained?

              Mostly just privacy, although you're also gaining a certain degree of reliability: as it sounds like you might know, public proxies can be anywhere from terrible to OK, slower than frozen molasses to fairly speedy.

              In a case like yours, though, it sounds like privacy must be foregone for convenience. I hope your ISP smartens up soon for you!

              --- Mr. DOS

  • Can we have the mail addresses in the "ad" changed to MailTo: links so the spam bots that troll /. have an easier time rendering the contact info useless?
    • My email is far from useless. Email address obfuscation is security theater.

      • by kliklik ( 322798 )

        Why do you think it's security theater? I'm sure some implementations of email obfuscation are weak and there are already bots that can harvest for example "someone at example dot com" or similar, but stronger techniques should be able to fool the bots.

  • Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts?

    My uneducated guess is the simplest reason for it: of the pervasive services (MSN Games, XBox Live, etc) that comprise the entire "Windows Live" experience, one has become susceptible to some form of attack. Maybe it's not even full fledged access but some sloppy development that gave someone the ability to set your auto-response on and text to it if they only know your e-mail address? I don't know if Windows Live has a common sort of authentication service that is so familiar with all Google Apps or Yahoo's many applications but I'm guessing that someone: 1) figured how to hack a MSN app or 2) figured how to monitor one or (most likely) 3) made a page that passed as an MSN log in page and figured how to get on Facebook and Myspace and circulate the link. Once you logged in, they redirected you to the real page and just went about logging your log in information. You kind of touched on this later but didn't run with it when you said:

    Presumably the Chinese spammers stole large numbers of passwords from Hotmail users either via a huge phishing attack, or through a security hole in Hotmail or some other part of the Windows Live service.

    That's my guess. I wouldn't put it past any of these e-mail providers to slip up when trying to link together seventy different applications to one set of credentials. Convenience always comes at a cost.

    • Or yahoo/google already cleans up auto-reply spamming.

      Or this problem does exist with yahoo, gmail, and AOL.

    • by lpaul55 ( 137990 ) *

      I got one of these from a hijacked Yahoo! mail account. This isn't limited to HotMail.

    • Re: (Score:1, Informative)

      by charlieman ( 972526 )

      Check who has Deleted you from their contact list on MSN at http://checkmsnstatus.com/ [checkmsnstatus.com].

      • Check who has Deleted you from their contact list on MSN at http://checkmsnstatus.com/ [checkmsnstatus.com].

        That's either informative, or you're trying to make matters worse for someone.
        Really, what were you trying to accomplish by posting that? Maybe next time add a better guiding text.

    • A couple of months ago I got emails from other hotmail users giving me a link to a site which offered to check who was blocking or had deleted me on msn messenger - just give your msn/hotmail address and password to check.
      Checking the site showed it was registered in China.

      I sent a reply or two to the hotmail users whose accounts had been used to send me the link to the site. I guess there's plenty of people trusting enough to give away their passwords. Especially when the link appears to come from a friend.

      http://ha [aww-you-got-blocked.com]

  • I didn't bother reading the full summary, but I wonder what technique the hackers were using to only hit 200,000. If it was by individual account, that's some pretty tedious changes to make.
    If they managed to hack the computers, why not set up a spamming botnet the good old-fashioned way?
    If they managed to hack hotmail, why not infect them all?

    My guess is they were using some phishing to get usernames and passwords?

    • by Dogun ( 7502 )

      I suspect they purchased a block of accounts from someone who had a much bigger pool for sale.

    • If they managed to hack the computers, why not set up a spamming botnet the good old fashion way?

      If a company advertises on TV, why bother with radio and print also? Simple: multiple outgoing streams of your information improve the total number of people that will see your advert. This works the same for spammers as it does for people who bombard our senses with product information and/or brand identity by more legitimate means.

      Maybe the phishing attacker got lucky and at the same time as picking up a new account to use, the browser used to enter the information was also vulnerable to some sort of drive-

      • Open a chain of internet cafes in china
      • Load each machine with a hacked copy of windows which logs user names and passwords
      • Collate user names and passwords on a central machine
      • ??? Not required
      • Profit!
      • by Bert64 ( 520050 )

        By doing that, you would get usernames and passwords for all kinds of services, not just hotmail...
        Also, 99% of your accounts would be chinese.

    • I didn't bother reading the full summary, but I wonder what technique the hackers were using

      Maybe if you had read the full summary you wouldn't have had to ask such a stupid question.

  • TL:DR (Score:5, Insightful)

    by AliasMarlowe ( 1042386 ) on Thursday January 07, 2010 @04:19PM (#30687676) Journal

    drone, drone, drone, drone, drone, drone...
    a spammer hijacked autoreply on less than 0.1% of Hotmail lusers.
    drone, drone, drone, drone, drone, drone...

    Summarized that for you.

    I get very similar spam, often masquerading as replies, but never actually a reply from anyone I sent mail to. It's possible that the "autoreply" is just demonstrating that the bot is smart enough to inspect incoming mail as well as harvest the contact list on the infected machine.

  • by Anonymous Coward
    that MS is not in on this. The anti-spam law PURPOSELY allows the ISP to spam all they want. MS was working with the guy from Denver, Eddie Davidson, until MS got greedy. They were charging 1 million/month for x amount of spams to be sent to their hotmail and MSN account. Then MS told the guy that they were upping the rate to 5 Million. So Davidson decided to approach Qwest. The deal was 2 million, the fake IPs, and of course, the cooperation on the DNS. Same deal as MSN, but at half the new price. His rea
    • Re: (Score:3, Interesting)

      by JWSmythe ( 446288 )

      Did you happen to have a Hotmail account before Microsoft bought them? If you did, you would have seen the marked increase in spam coming in as soon as they took ownership. It wasn't just a little, it was huge. That was when I gave up my account. Well, I still have it, but it collects spam. There are thousands in that box now, which is hilarious since I never use it. I only log in occasionally to get a laugh of how many spams there are, and to see if anyone accidentally wrote to me ther

  • by eln ( 21727 ) on Thursday January 07, 2010 @04:21PM (#30687696)
    You said yourself, early in this unnecessarily long article, that the wording and URLs varied in these autoreplies. So, it seems like Microsoft would have to do more than just search for a particular string, and they'd run a very real risk of either not getting them all or, much worse, accidentally deleting someone's legitimate autoreply. Not to mention, just deleting autoreplies from the affected accounts isn't going to be a solution, because the spammers can just create new ones continually. I would imagine if this is as major a problem as you seem to think it is, someone at Hotmail is trying to figure out a good solution.

    This is a new and novel form of spamming, and presumably the spammers are using Hotmail in particular because they've managed to find an easy way to break into hotmail accounts in particular, and don't have the scripts written or whatever to break into yahoo, gmail, or other accounts. Hotmail has lots of users, if you can break into them, you've likely got enough accounts that you don't need to break into the others. Maybe Hotmail will figure out a way to combat this at some point, and the spammers will move on to another provider.

    Also, this whole article seems like an overly long and drawn-out way to advertise your own mailing list. I'm not saying that's what you're doing, but that's how it seemed to me.
    • by pgn674 ( 995941 )

      , and presumably the spammers are using Hotmail in particular because they've managed to find an easy way to break into hotmail accounts in particular, and don't have the scripts written or whatever to break into yahoo, gmail, or other accounts.

      Another situation that wasn't considered: Maybe the spammers did use phishing attacks to get into the Hotmail accounts, and could just as easily get in other web mail accounts. But, if the spammers found an easy way to automate the setting and altering of auto-replies in Hotmail but not in other web mail accounts, then they would probably only set auto-replies on Hotmail accounts.

    • by orkysoft ( 93727 )

      I think this "easy way to break into hotmail accounts" is just a collection of websites that offer ringtones or porn or something stupid like that, if only you enter your Hotmail address and password. They can then use that Hotmail/MSN account for spamming MSN contacts, setting autoreplies to spam, or similar stuff.

  • "Hotmail claims to process 3 billion non-spam e-mails per day"

    I don't believe that there are 3 billion non-spam e-mails sent every day.

    • Re: (Score:3, Informative)

      by JWSmythe ( 446288 )

      No, that's very easy to believe.

      If their filters don't see a message as spam, then it is non-spam.

      My box currently has 3,000 emails in it. 2,000 are in the "Junk" folder. 1,000 are in the "Inbox." Therefore, I've received 1,000 non-spam emails.

      In reality though, not a single one of those emails was any sort of legitimate message.

      This is the top of my Hotmail inbox, that no one legitimate writes to. They're all non-spam according to Hotmail.

      • I've had Hotmail set to only accept mail from the people on my address book since the Junk folder was introduced, and spam STILL gets through.

  • Only hotmail? (Score:3, Interesting)

    by davosmith ( 1308917 ) on Thursday January 07, 2010 @04:23PM (#30687720)

    Why Hotmail accounts, but not Yahoo Mail, GMail, or AOL accounts? I've never noticed any auto-reply spam sent from any accounts at any of those other services.

    I've had this happen with friends' Yahoo accounts (also offering Chinese electronics), so it isn't exclusively a Hotmail problem.

    • We're getting it more from AOL than Hotmail, with the occasional bunch of Yahoos. AOL's reporting process, however, is useless, so all we do is block the compromised email addresses.
  • I found these juxtaposed blocks of text interesting:

    I've written some columns where I strongly believed every word but expected a lot of opposition, some where I wasn't sure if I was right and just wanted to see what people thought, and . But I rarely argue something that I think is a no-brainer. Hotmail should un-set the auto-replies for those users whose accounts are spamming for nonexistent Chinese electronics knockoffs, before those accounts send another several hundred million spams in the coming year. Am I smoking crack?

    Then again, maybe expectations for Hotmail shouldn't be set too high. I use SpeakEasy for my mail provider, and on about November 19th I found that all messages sent to hotmail.com addresses from SpeakEasy's servers were being bounced with an error message rejecting them for "spam-like characteristics.

    So on one hand you're advocating a no-brainer unsetting of auto-replies that have Chinese knockoff sites and then having Hotmail generate a system that automatically inhibits this for spammers. Because they'll just make another domain or make the domains dynamic so you can't just block based on a couple URLs. And the slippery slope might have a few people upset that their mom and pop business link on their signature in their away message keeps forcing Hot

  • Anti-spam activism is its own goal - if someone (e.g., Microsoft) is blocking mail as spam, well that is just too bad. Maybe it is spam and maybe it isn't - there is no accountability involved. Email is intended to be unreliable, so there can never be an assumption that your mail isn't going to be blocked as spam for any of a number of reasons.

    Further, why Microsoft doesn't "fix" these accounts is very simple - it isn't their problem. It might be their users' problem but again spam has its own rewards. N

    • by amorsen ( 7485 )

      Email is intended to be unreliable, so there can never be an assumption that your mail isn't going to be blocked as spam for any of a number of reasons.

      Email isn't intended to be unreliable. The various Internet email protocols were written in a way that makes the likelihood of failures low and practically guarantees you at least a message bounce. Spam has changed this in numerous ways, but there are two major ones. Systems now intentionally reject mail, even though it could have reached its destination, and bounce messages are no longer sent. You can't change the protocols that way and still have a reliable system, unfortunately, but it was never INTENDED

  • Moderation needed (Score:5, Insightful)

    by rudy_wayne ( 414635 ) on Thursday January 07, 2010 @04:27PM (#30687774)

    Can we mod this article -5 way too fucking long

    • Nah, I'd bottom it out at -4. I'd give it a +1 back for the atrocious abuse of alliteration.

      Yes, I know most would rather it take an extra -20 for that, but hey.

    • With that attitude, it's a good thing you don't do anything important, like build any devices that must conform to some sort of FCC standard. If you thought this was long, you'd probably die reading the USB standard or an RFC...

  • Well if my account was compromised, they'd only be spamming the spammers, since that's all that shows up to my hotmail account. It's my default email used when email is required for something.
    • Well if my account was compromised, they'd only be spamming the spammers, since that's all that shows up to my hotmail account. It's my default email used when email is required for something.

      I've found that Gmail does an excellent job of spam filtering and makes a good spam trap. Whenever I have to give out an email address I use my Gmail account, which I access via POP3 from Mozilla Thunderbird. I never see any spam unless I log in to the web interface and look at the spam folder.

  • When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user?

    Perhaps to avoid an infinite loop of auto-replying between two compromised hotmail accounts?

  • It's a shame that there aren't any controls in place for Western Union or MoneyGram. At least the Credit Card companies leave you some manner of recourse against the dishonest. I understand that criminals will continue to prey on hope, but can't some of these companies assume a bit more responsibility than chiding their customers to be careful?
    • by Bert64 ( 520050 )

      Because they give out cash at the other end, once someone has walked away with the cash it's gone and there's no real way to trace it...
      Getting a merchant account which enables you to receive credit card payments is a fairly complex process which requires you to prove the legitimacy of your business and pay a fair amount for the service. It's typically also tied to a bank account, and the bank will freeze your account if they think you're up to no good... If you regularly empty out all the funds that will tri

  • Is there any way to mod the title to troll?
  • Just what is so tough? Scan autoreplies for the spam sig and delete (leave ar set to blank). Spam affected [l]users with a msg.

    Or just turn off AR altogether. It's an optional feature, and people that rely excessively on the internet or optional features get what they pay for. There will be whiners! Which would they rather: buggy code or nothing? Bugfree code is _not_ an option. No service at all is. [intern BoFH]

    Sure, HotMail has egg all over its face for allowing an exploitable hole (most likely)
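The "scan auto-replies for the spam sig and delete" step suggested above, as an added example that is not part of this thread or of any Hotmail code. It scores each stored auto-reply against the domains quoted in this discussion (wedosale.com, wwooz.com) plus a constructed list of phrases from the templated spam, clears only the replies that cross a threshold, and leaves a log line on the account so the user can be told what happened. The account records, phrase list and threshold are all assumptions made for the illustration; the point is that a benign away message carrying a small-business link does not get caught.

```python
"""Scan stored auto-reply texts for the wholesale-electronics spam signature,
clear the matches, and record what was done on each affected account."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Domains lifted from the spam samples quoted in this thread. Everything else
# in this file (accounts, phrase list, threshold) is constructed for the example.
KNOWN_SCAM_DOMAINS = {"wedosale.com", "wwooz.com"}

# Phrases characteristic of the templated spam (hypothetical signature list).
SIGNATURE_PHRASES = [
    r"electronic products wholesale",
    r"most reasonable discount",
    r"long cooperation with us",
    r"psp.*xbox\s*360",
]
URL_RE = re.compile(r"(?:https?://|www\.)([a-z0-9.-]+\.[a-z]{2,})", re.I)
THRESHOLD = 3  # a known scam domain alone is enough; phrases alone are not


@dataclass
class Account:
    user: str
    auto_reply: Optional[str]
    log: List[str] = field(default_factory=list)


def spam_score(text: str) -> int:
    """Weighted score: 3 per known scam domain, 1 per signature phrase."""
    t = text.lower()
    score = 0
    for m in URL_RE.finditer(t):
        domain = m.group(1)
        # accept both "wedosale.com" and "www.wedosale.com" captures
        if domain in KNOWN_SCAM_DOMAINS or domain.split(".", 1)[-1] in KNOWN_SCAM_DOMAINS:
            score += 3
    for pat in SIGNATURE_PHRASES:
        if re.search(pat, t, re.S):
            score += 1
    return score


def is_spam_auto_reply(text: Optional[str]) -> bool:
    return bool(text) and spam_score(text) >= THRESHOLD


def remediate(accounts: List[Account]) -> List[str]:
    """Clear matching auto-replies in place; return the users that were reset."""
    reset = []
    for acct in accounts:
        if is_spam_auto_reply(acct.auto_reply):
            acct.log.append(f"auto-reply cleared (score={spam_score(acct.auto_reply)})")
            acct.auto_reply = None
            reset.append(acct.user)
    return reset


def sample_accounts() -> List[Account]:
    """Constructed records: two compromised, two legitimate."""
    return [
        Account("victim1", "Dear friend: We are an electronic products wholesale. "
                           "We can offer you the most reasonable discount. "
                           "Please visit our website: www.wedosale.com "
                           "Looking forward to your long cooperation with us! "
                           "Our mainly products such the phones, PSP, xbox 360."),
        Account("bakery", "Out of the office until Monday. Orders: www.example-bakery.com"),
        Account("victim2", "i had received the digtal camera which i ordered "
                           "from ---www.wwooz.com-- last week."),
        Account("shop", "We sell electronics at a discount, see www.example-shop.com"),
    ]


if __name__ == "__main__":
    accts = sample_accounts()
    print("reset:", remediate(accts))
    for a in accts:
        print(a.user, a.auto_reply, a.log)
```

Domain hits are weighted above phrase hits on purpose: the phrase list is what the spammers will vary first, while the landing domains are what the scam actually needs, so a domain-list update is the cheap lever when the wording changes.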

  • Huh? (Score:1, Offtopic)

    by AP31R0N ( 723649 )

    Huh?

  • by Antiocheian ( 859870 ) on Thursday January 07, 2010 @04:55PM (#30688106) Journal

    I am currently engaged in wasting the time of a scam site by continuously asking for instructions on how to pay with "Western UNION", how many euros the dollar is, how to explain to "Western UNION" that this is a legitimate transaction, what to do now, etc.

    All in the name of a Nokia model that doesn't exist.

    The goal is to type as little as possible and make them type as much as possible without giving pre-made answers.

    • Re: (Score:1, Funny)

      by Anonymous Coward

      Try forwarding them some Falun Gong literature. THAT would get an appropriate response from the Chinese government... XD

    • The goal is to type as little as possible and make them type as much as possible without giving pre-made answers.
      Sounds a lot like /.
  • by Dunbal ( 464142 ) on Thursday January 07, 2010 @04:56PM (#30688124)

    Trying to make a catchy sounding headline by using the same first letter in every word, while obfuscating the meaning, is something that's only done by shoddy would-be journalists. It ranks just below turning your headline into a question, and only proves the weak mind of the journalist in question when they a) actually spend time thinking of which words to use and b) pat themselves on the back for how clever they think they are.

  • XSS (Score:5, Interesting)

    by jamesh ( 87723 ) on Thursday January 07, 2010 @05:01PM (#30688222)

    This sounds suspiciously like something that could be implemented via cross site scripting. You visit a link and happen to be logged into hotmail and it magically changes your autoreply for you. Like that thing that kept turning my google safe search off.
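The cross-site pattern the comment describes (a link visited while logged in silently changes a setting using the victim's session) is what the settings endpoint has to defend against on the server side. As an added example that is not part of this thread or of any Hotmail code, here is a minimal auto-reply update handler with the three standard checks: state changes only via POST, the request's origin must match the site's own, and the form must carry the per-session CSRF token. The origin, session and request objects are constructed stand-ins for what a web framework would supply.

```python
"""Auto-reply settings handler hardened against cross-site changes:
only a same-origin POST carrying the session's CSRF token may change it."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_ORIGIN = "https://mail.example.invalid"  # constructed site origin


@dataclass
class Session:
    """Server-side session; the CSRF token is minted once per session and
    embedded in the site's own settings form, never readable cross-site."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    auto_reply: Optional[str] = None


@dataclass
class Request:
    method: str
    headers: Dict[str, str]
    form: Dict[str, str]
    session: Session  # resolved from the session cookie by the framework


def _same_origin(value: str) -> bool:
    """Compare scheme+host of an Origin/Referer value against SITE_ORIGIN.
    A prefix test would be fooled by 'https://mail.example.invalid.evil.test'."""
    p = urlsplit(value)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN


def update_auto_reply(req: Request) -> Tuple[int, str]:
    """Return (status, message); the stored auto-reply changes only on 200."""
    if req.method != "POST":
        return 405, "state changes require POST"  # a visited link is a GET
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not _same_origin(origin):
        return 403, "cross-origin request rejected"
    token = req.form.get("csrf_token", "")
    # constant-time compare so timing does not leak the token byte by byte
    if not hmac.compare_digest(token.encode(), req.session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    req.session.auto_reply = req.form.get("auto_reply") or None
    return 200, "auto-reply updated"


def demo() -> Dict[str, int]:
    """Exercise the handler with one legitimate and three cross-site requests."""
    s = Session(user="alice")
    legit = Request("POST", {"Origin": SITE_ORIGIN},
                    {"csrf_token": s.csrf_token, "auto_reply": "Back Monday"}, s)
    via_link = Request("GET", {"Referer": "https://evil.test/"},
                       {"auto_reply": "Dear friend: visit www.wedosale.com"}, s)
    via_form = Request("POST", {"Origin": "https://evil.test"},
                       {"auto_reply": "Dear friend: visit www.wedosale.com"}, s)
    lookalike = Request("POST", {"Origin": "https://mail.example.invalid.evil.test"},
                        {"auto_reply": "Dear friend: visit www.wedosale.com"}, s)
    results = {
        "legit": update_auto_reply(legit)[0],
        "via_link": update_auto_reply(via_link)[0],
        "via_form": update_auto_reply(via_form)[0],
        "lookalike": update_auto_reply(lookalike)[0],
    }
    results["final_is_legit"] = int(s.auto_reply == "Back Monday")
    return results


if __name__ == "__main__":
    print(demo())
```

The token check is the one that actually closes the hole; the method and origin checks are cheap defence in depth, since a browser will attach the victim's cookies to a cross-site form POST just as readily as to a link.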

  • They wouldn't need to hack any Windows Live accounts. I remember a few months ago a list of tens of thousands of emails and passwords for some Christian site were uploaded to 4chan; from this at least 1 in 10 had used the same password for their email account. So just find a site with a good number of users and hack that.
  • I'm not too sure that gmail isn't a target... A couple weeks ago, my friend's Gmail account got hacked and the spammers sent the following message out to all his contacts:

    I am willing to give you a surprising happiness! Yesterday i had
    received the digtal camera which i ordered from ---www.wwooz.com--
    last week. its quilty is very good , and the price is very low.i am
    satisfied with it.

    If the products you expect is on the site, it is a wise choice for you
    to buy from this site.I believe you can get many surpri

  • "Why doesn't Microsoft just disable autoreplies like this?"

    OK, so suppose Microsoft were to do so. They have to expend a non-trivial amount of time to write a program to scan the Hotmail database, locate a set of potentially cracked accounts, and flip the bit - that's going to cost some amount of money.

    Then there is the very significant risk that they will piss off some users by incorrectly disabling their perfectly innocent autoreplies, which can lead to complaints that cost money to process.

    Then there is

  • You can go and see other people's "orders" on that wedosale site:

    http://www.wedosale.com/vieworders.asp?orderno=20100108063848
    http://www.wedosale.com/vieworders.asp?orderno=20100108063731
    http://www.wedosale.com/vieworders.asp?orderno=20100108064033

    The order numbers are not sequential, they seem to be incremented by a random number each time but it would be easy to see what other people have ordered...
    The first part of the order number is clearly based on the date: 20100108

    The front page says you can pay wit

    • by ashitaka ( 27544 )

      Look at the order time. The order number is just the date and time. They'd better not have more than one order/second.

      Order No. 20100108063848
      Order Date 2010-1-8 6:38:48

      The site is just there to pick up personal info.

  • My sister's hotmail account was compromised by Chinese spammers, and the password as well as secret questions were changed. However hotmail support was able to recover the account by providing 'last successful logon location', where we usually used the service from, original secret question, details about emails inside. I expect hotmail was chosen as a target for the simple reason of its high volume of accounts, i.e. 270+ million accounts vs. gmail's 140 million.
  • Or Gmail? Free email accounts are spammer magnets. Google doesn't even try hard to stop Gmail Account Creator [gmailaccountcreator.com] ("For when one email account isn't enough.") Mail from a Hotmail account just screams "loser". That thing should just die a quiet death, like GeoCities.

  • It sounds interesting.

  • Many yahoo accounts are hacked as well. I get a few autoreplies my way. I haven't seen that happen with gmail and aol though.

  • The headline for this article is not clever. It is unclear. Unclear is not the same as clever.
  • I'd buy an XBox360 or a PSP for $50 if I could get it, even counterfeit hardware. Just need a temporary card number with a $100 limit.
  • When I sent messages to the infected Hotmail users from my Gmail account, to see if the auto-responses would get through Gmail's spam filter, Gmail blocked only half of the replies. When I mailed all the users again from my Hotmail account, the results were strange -- most of the users' accounts sent back no auto-reply at all, not even a reply that got routed to my junk folder. (Why would Hotmail accounts not send an auto-reply in response to a message from a Hotmail user? Please post if you have any idea what's going on there.)

    It was probably your emails getting binned as spam.
